Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Create Dynamic Dropdown Inputs at Search Results within a Form (Version 6.3.3)

_gkollias
SplunkTrust
SplunkTrust
‎10-04-2016 07:24 AM

Hi,

I’m looking for a way to add dropdown inputs to the search results of a form.

I’m looking for something where the inputs are based on the initial selection from the form (so there are 6 options to choose, and each option displays different field values).

Here is a small sample of the current form:

<form>
  <searchTemplate>
    <![CDATA[ `$tkn_search$` $tkn$ $tkn$ $tkn$ $tkn$ $tkn$ $tkn$ $tkn$
     | `$tkn_transaction_search$`]]>
  </searchTemplate>
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" searchWhenChanged="false" token="tkn_search">
      <choice value="search_a">A</choice>
      <choice value="search_b">B</choice>
      <choice value="search_c">C</choice>
      <choice value="search_d">D</choice>
      <choice value="search_e">E</choice>
      <choice value="search_f">F</choice>
      <change>
        <!-- http://docs.splunk.com/Documentation/Splunk/6.4.2/Viz/EventHandlerReference#Condition_element -->
        <condition label="A">
          <set token="tkn_transaction_search">txn_a</set>
        </condition>
        <condition label="B">
          <set token="tkn_transaction_search">txn_b</set>
        </condition>
        <condition label="C">
          <set token="tkn_transaction_search">txn_c</set>
        </condition>
        <condition label="D">
          <set token="tkn_transaction_search">txn_d</set>
        </condition>
        <condition label="E">
          <set token="tkn_transaction_search">txn_e</set>
        </condition>
        <condition label="F">
          <set token="tkn_transaction_search">txn_f</set>
        </condition>
      </change>
    </input>
<various_inputs> </various_inputs>
    <input type="time" searchWhenChanged="false">
      <label>Select time:</label>
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="results">
        <title>Your Results</title>
      </table>
    </panel>
  </row>
</form>

Any point of direction within the docs or sample code would be greatly appreciated.

0 Karma
Reply

rjthibod
Champion
‎10-04-2016 11:30 AM

There are a couple of ways of doing the kind of thing you want. One is simpler and requires more inputs, another is more complex and may not work in all cases but will reduce the number of inputs.

The first thing to know is how to use the depends= and rejects= settings on the <input> elements. You can hide or show elements of the dashboards using the tokens you are setting by referencing the tokens in the depends= and rejects= settings. For example, the following dropdown only appears when token_A and token_B are defined to some value and token_C is undefined. More details here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/PanelreferenceforSimplifiedXML

<input searchWhenChanged="true" token="split_field" type="dropdown" depends="$token_A$,$token_B$" rejects="$token_C$">
      <label>Split-by Field</label>
      <choice value="user">User</choice>
      <choice value="host">Host</choice>
      <choice value="domain">Domain</choice>
      <default>domain</default>
</input

So you should be able to see a way to combine tokens in a logical fashion to determine which ones are used or not. The number of combinations of inputs and what values to show in those inputs will determine how complex this gets. The other thing that will determine how complex is if you want certain values to appear in the second-level inputs based on searches that populate those values. I can't really spell a simple example here, but just be sure you test everything out.

0 Karma
Reply

_gkollias
SplunkTrust
SplunkTrust
‎10-04-2016 12:16 PM

rjthibod,

Interesting! I'll play around with this and let you know how it goes.

Thanks!

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-05-2016 07:53 AM

Also @KolGr001, if still stuck by the time we do office hours again, we can work through this. In the interim, please check out the latest docs as you might notice that some of the simple xml tags you were using have been superseded by newer versions that are easier to use. If you end up nailing this then go ahead and accept @rjthibod's answer?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...